I've been reading and re-reading "Chapter 12. Group Mapping: MS Windows
and UNIX", Mailing list messages with the subjects "valid users = +group
doesn't work" and "Unix ADS group membership or vice versa" and all I've
gotten is more confused.

I have to move my samba servers from a Samba PDC environment to Active
Directory (AD) where they will be member servers. I will NOT be able to
make ANY changes to the AD configuration: it is dictated and controlled
by those "on high." I cannot add any groups to AD. I can only
manipulate the membership of the UNIX groups on my servers.

I already have a test samba server (3.0.28a) as a member of AD.

What I want is to be able to control access to "shares" using lines like
"valid user +www" in smb.conf as I have in the past. The groups I want
to use are the UNIX groups on the AD member samba server. I have added
AD users as members of the UNIX groups in /etc/group.

It looks like Samba AD member servers will NOT look at local UNIX groups
to check and see if an AD account is a member of the UNIX group. I do
not want to have to map each and every AD user to a corresponding local
user - I thought accessing AD would cut down on the account management
workload, not increase it.

I fail to see where winbind's nested groups will help me solve this
problem - as presented in the docs it seems to solve an MS Windows issue
that I do not have. Perhaps I still do not understand what the
nested group is supposed to provide.

Since I have no administrative access to the AD server, how am I to
create nested groups? The example shows:

net rpc group add demo -L -Uroot%not24get

So it seems I would need some kind of administrative account to even
create the nested group. If not an AD account, I do not recall setting
up an smbpassword for root as I did in the past on my samba PDC. I am
not a member of "Domain Administrators" in our AD setup, but that is a
whole different set of questions.

How would I make such a nested group the group owner for
files/directories? Or would I then use the nested group in the "valid
user" line of smb.conf? Use groupmap to associate it with a UNIX group?
See, confusion.

At this moment it seems my worst case/quick fix calls for long "valid
user" lines listing the AD accounts that I wish to have access to
certain shares - kinda' defeats the reason to have groups. Why would
Samba be written to ignore the group memberships?

Thanks in advance to anyone that can help clear up my confusion about
groups!

-Bob Martel

--
***********************************************************************
Bob Martel, System Administrator        I met someone who looks a lot like you
Levin College of Urban Affairs          She does the things you do
Cleveland State University              But she is an IBM
(216) 687-2214
r.martel@csuohio.edu                                            -Jeff Lynne
***********************************************************************

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
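The "+group" form of "valid users" that the mail asks about is resolved by Samba against the UNIX group database the server sees through NSS, which is exactly what "getent group" shows. The script below is an added example, not part of Bob Martel's message or of the Samba project; it checks whether a given user name appears in a group as NSS reports it, so that a mismatch between what is in /etc/group and what "id" returns for the AD user can be spotted before touching smb.conf. The group name "www", the user names and the sample group line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail or from Samba): check whether USER
# appears in the member list of GROUP as this server's NSS resolves it. Samba's
# "valid users = +group" is matched against the UNIX group database, so
# "getent group" output is what has to contain the user name.

# user_in_group_line USER GROUPLINE
#   GROUPLINE is an /etc/group-style line: "name:x:gid:member1,member2"
#   returns 0 if USER is one of the members, 1 otherwise (empty list -> 1)
user_in_group_line() {
    user=$1
    line=$2
    members=${line##*:}          # everything after the last colon
    old_ifs=$IFS
    IFS=','
    set -f                       # no pathname expansion while splitting
    for m in $members; do
        if [ "$m" = "$user" ]; then
            set +f; IFS=$old_ifs
            return 0
        fi
    done
    set +f; IFS=$old_ifs
    return 1
}

# check_share_group USER GROUP
#   Uses the real NSS database of this host. Prints what Samba would see and
#   returns 0 when USER is a member, 1 when not, 2 when GROUP is unknown.
check_share_group() {
    line=$(getent group "$2") || { echo "group $2 is not resolvable via NSS"; return 2; }
    if user_in_group_line "$1" "$line"; then
        echo "$1 is a member of $2 as NSS sees it: $line"
        return 0
    fi
    echo "$1 is NOT a member of $2 as NSS sees it: $line"
    echo "compare with the name and groups reported by: id '$1'"
    return 1
}

# Constructed sample line, as /etc/group might look after adding AD users.
SAMPLE_GROUP='www:x:1005:alice,DOMAIN\bob'

# Usage on a real member server (the group and user names are placeholders):
#   check_share_group 'DOMAIN\bob' www
```

The point of the "id" comparison is that the name winbind hands to Samba for an AD account (for example with a domain prefix and the configured separator) must match the member name written in /etc/group character for character, otherwise the "+www" test cannot succeed.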